
An expert eye and an objective view: why get external support with your Business Continuity Planning
The SRM Blog

Written by Ian Armstrong

19th December 2019



Complacency is one of the biggest threats to a business. Whether it’s being happy to coast along and do the bare minimum to turn a profit, neglecting to provide genuine customer service or failing to take steps to mitigate the effects of an unforeseen threat, apathy is an organisation’s worst enemy. To have a realistic chance of withstanding any business threat, business leaders need to build a challenge-based culture into their business continuity planning (BCP).

What do we mean by this? All too often employees – even senior managers – can find themselves bogged down in the day-to-day running of the business, making it difficult to appraise their own organisation dispassionately and analytically. Even for those businesses that have put the time and resources aside to create an initial Business Continuity Plan, it can be difficult to review and amend a business on the hoof. This is especially true in companies that are going through a period of rapid growth or have experienced significant change in a short period of time.

Of course, it’s not just cyber threats that an organisation has to be aware of; it can be any form of risk. Fire, flood, terrorist attacks and physical thefts can all cause significant damage to a business and make it difficult to recover from.

Knowing that you shouldn’t rest on your laurels or be content with the dated Business Continuity Plan you have in place is one thing; finding the resource to tackle the challenge is another. While some business leaders may feel they have the in-house expertise to keep their business continuity plan agile and responsive, many find that the best solution is to engage outside help to provide an expert eye and an objective view.

So, how do you know whether your business would benefit from engaging a consultancy to assist with your business continuity planning?


1. You have not updated your plan in a while

Research from the industry-respected Ponemon Institute reveals that 26 per cent of IT and IT security professionals from UK companies have some sort of cyber resilience plan, but that 49 per cent of these have not been updated or reviewed since they were first put in place. Whether it’s a cyber resilience plan or a broader BCP, it’s important not to let those agreed processes and procedures gather dust. If you haven’t looked at yours in a while, it’s a sure sign that you could do with a bit of assistance.


2. You are familiar with your own BCP but have no knowledge of the wider picture

It is extremely difficult to challenge your BCP if you are overly familiar with it. After all, if you have developed the plan you have already covered all the threats you know about. But what about those you don’t? An external consultancy can bring a fresh pair of eyes to your plan, and it has the benefit of working on a number of other BCPs in similar sectors. Having an impartial individual working with in-house teams undoubtedly makes it easier to identify weaknesses in a plan and ask those challenging questions that might be an accidental blind spot for employees.

The advantage of working with a cyber security consultancy, in particular, is that you will be encouraged to assess your BCP in light of some lesser-known threats that require specific steps to rectify and recover from.


3. You have not tested your plan

With careful preparation you may feel content that you have a good BCP in place. But this is where complacency can creep in: although you can anticipate a crisis, until you put your plan to the test you will have no idea how well it will work. It is worth running test exercises, responding to a range of possible scenarios to see where the potential weaknesses are. This can be anything from a fire drill to a red team engagement to put your digital estate through its paces.

Consultants with first-hand experience of enacting BCPs and experience in conducting table top exercises will ensure that the project is completed with minimal disruption while delivering maximum benefit in a cost-effective manner. They can also advise on remedial action and help to develop a forward-thinking strategy.

The fact that a consultant has not been associated with the existing systems in place is also of importance. Those who manage the existing BCP may have knowledge of shortcuts or details in the recovery process that are not explicitly documented. This is relevant because it isn’t necessarily the case that those creating and managing a continuity plan will ultimately be the ones implementing it during a recovery phase.


4. You don’t think it applies to you

Every organisation, regardless of size, ought to have a BCP in place – one that includes a Disaster Recovery (DR) plan. Consider the Touche Ross report (2017), which found that 90% of businesses without a disaster recovery plan fail after a problem. Yet a 2019 survey showed that 75% of small businesses have no DR plan in place. The same survey showed that 93% of companies without a DR plan that suffered a data breach are out of business within a year.

While a DR plan deals with the steps required for a crisis, the BCP establishes a route map for a swift return to business as usual. An experienced consultant can scale a BCP to your business, including a robust DR plan, delivering maximum value for the budget.


5. You don’t have a step-by-step plan in the event of a crisis

The key to an effective BCP is planning. You need to have a clear route map that details every step to be taken in a range of disaster scenarios, covering, for example, reporting requirements, customer support and press relations. If this doesn’t exist in your organisation, it could be time to draft in some external support.

Professional outside support will ensure that you have all your ducks in a row. You will know exactly what to do, who to inform and who is responsible for each step. Your whole plan will be tighter and more effective, and focusing on what you require, not on what you don’t, will ensure that the process is managed in a timely and cost-effective manner.


Fail to plan . . . Plan to fail!

